TOP 10 CHALLENGES FOR INVESTMENT BANKS 2016

Cyber Security: Confronting the threat

Challenge 09

Introduction

By the very nature of their business, investment banks possess vast
quantities of highly sensitive information.

When such information is compromised—whether by
determined cyber criminals or accidentally by individuals within
the organization—the consequences, in terms of reputational damage and
monetary losses, could be significant.

Traditionally, investment banks have always been highly aware of
the importance of safeguarding customer and transaction data and
have taken all the steps deemed necessary to do so. In the current
environment, however—with organized cyber criminals running
industrialized hacking operations and freely selling and/or sharing
information about institutional vulnerabilities—investment banks
may be dealing with forces that cannot be addressed exclusively by
internal resources.

CYBER THREAT AWARENESS AND PREPAREDNESS

ACTIVE TESTING

Proactively run inward-directed attacks and intentional failures to test their systems on a regular basis

LIKELIHOOD OF ATTACK

67%

Believe the likelihood of an attack is “very” or “extremely” high

PRIVACY BREACHES

68%

Believe there is a high likelihood of privacy breaches of personal data

Source: Accenture Research

RESULTS FROM ACCENTURE’S 2015 GLOBAL RISK MANAGEMENT STUDY

APPLY “BIG-PICTURE” PRINCIPLES TO CYBER SECURITY

A PERVASIVE CONCERN

In this environment, cyber security becomes not only a major challenge
for investment banks, but also a key responsibility of their boards of
directors and senior management teams. Boards and management
need to consider:

The organizational structure and reporting arrangements for cyber security operations.

The experience and expertise of the chief information security officer (CISO), and the need to balance industry knowledge against “street smarts” as they pertain to cyber issues.

Safeguarding data in a networked environment, which may encompass cloud data storage and the provision of services via the cloud.

Creating a culture that is both security-conscious and aware of the financial and reputational consequences of data breaches.

ADDRESSING STRUCTURAL ISSUES

For investment banks, effective cyber security begins at the top with the
board of directors and senior management. Firms need a structure that
recognizes the business issues connected to cyber security, while
providing the expertise needed to deal with specific and ever-changing
threats. Security models and tools are proliferating, creating complexity
and potentially compromising security, so an integrated approach is
needed to make the best use of new solutions.

A 2015 study conducted by Accenture and Ponemon Group found that
firms that displayed leadership in cyber security shared certain
characteristics, including immediate reporting of security incidents to the
CEO and board of directors, clear definition of responsibility and
authority pertaining to security, and effective communication of security
requirements to all employees.1 At leading companies, the CISO is more
likely to report directly to a senior executive, set the security mission by
defining strategy and initiatives, and have a direct channel to the CEO in
the event of a serious security incident. They also provide sufficient
resources for cyber security teams to deal with existing threats, while
researching and preparing for new types of attacks.

SECURING THE EDGE

New technologies—particularly those in the area of mobile
communications—are opening new horizons for investment banks and
their clients. Transactions are no longer limited to landline telephones or
desktop computers; mobile phones and tablets now serve as effective
platforms for many activities. However, the functionality of such devices
has often outpaced the ability of investment banks and other financial
services firms to protect customers’ privacy and prevent unauthorized access
to their accounts.

Investment banks that provide secure mobile applications could
differentiate themselves, but few have the technological sophistication to
do so today. Innovation often takes place at the tactical level, without the
benefit of a high-level, holistic view of security concerns. Investment
banks, like other financial services firms, need to find a balance between
maintaining security and providing an optimal customer experience.

DEFENDING THE DIGITAL INVESTMENT BANK

Enable business growth and secure operations

Defend the business from hostile adversaries

Enabling business resilience and brand trust by interlocking security strategy with business strategy

Addressing boardroom and C-Suite concerns about the impact of security breaches on shareholder value, revenue and compliance

Reinventing security to be “digital friendly” by supporting user centricity and Internet scale, and addressing digital concerns such as big data, Internet of things and commerce

Gaining security-situational awareness across expanding business boundaries and developing a rapid-response capability

Developing solutions to manage technology and process security risks outside of direct organizational control while leveraging security “as a service”

ADOPTING NEW TECHNOLOGIES

Some players have begun exploring promising new technologies to
identify and prevent cyber incursions. Following in the footsteps of retail
banks that are using biometric authentication at automated teller
machines in certain countries, some investment banks are piloting voice
biometrics for added security and a better customer experience during
telephone transactions. Others are exploring new authentication
methods, such as social log-ins and risk- or content-based identification.
Although still in very early stages, such services may soon represent a
competitive advantage for firms with tech-savvy clients.

Investment banks can benefit from important features of new security
technologies, including the ability to identify anomalies in network
traffic, prioritize threats and provide advance warnings of possible
breaches. Whether business is conducted on an in-house legacy
platform or through the cloud, investment banks should regularly
evaluate their vulnerabilities. They can apply threat monitoring to
understand potential problems and leverage threat intelligence to
understand when cyber criminals (or rogue individuals within the
organization) are attempting to take advantage of such vulnerabilities.
In some cases, data visualization may help identify problematic
behavior—not only by cyber criminals, but also by customers,
counterparties and employees.

THE “BIG-PICTURE” APPROACH

For investment banks, the need to bring technology to market
quickly to maintain a competitive advantage—along with the
ever-evolving sophistication and boldness of cyber criminals—has
left cyber security struggling to catch up. Investment banks can benefit
from applying several “big-picture” principles to cyber security. In addition
to a “top-down” view starting with the board and senior management,
these include:

A proactive stance.

Accenture’s research and experience suggest
that investment banks should take a proactive approach toward cyber
security, continually monitoring, testing and experimenting with new
technologies. Reactive cyber defense is no longer sufficient to maintain
an effective security program and regulatory compliance.

A broad view of risk management.

Cyber risk should be considered
alongside traditional enterprise risks to more effectively inform risk
management decision making. In the Accenture 2015 Global Risk
Management Study, nearly two-thirds (65 percent) of financial services
executives surveyed said that cyber and IT risk would have an
increased impact on their business in the next two years and that they
are making talent and organizational decisions accordingly.2 Demand
for cyber security skills is escalating quickly.

A willingness to collaborate.

Investment banks’ internal cyber
security teams may have been capable of dealing with yesterday’s
threats. In the current environment, however, investment banks
will need not only outside expertise, but also effective collaboration with
cloud and other service providers to deal with emerging threats.
Investment banks may also need to increase their willingness to share
information regarding such threats with governments and industry
groups, including the Financial Services Information Sharing and
Analysis Center (FS-ISAC).

Attention to the “human factor.”

Many breaches occur as a result of
human error, negligence or failure to follow security protocols.
Privileged access management is a top risk in this area. Investment
banks should have organized and integrated programs to raise
awareness of security issues, encourage proper procedures and assign
responsibility when individuals are at fault. Insider threat networks
should be enhanced and user behavioral analytics should be deployed
to manage the human components, whether malicious or accidental.

CONTACTS

TIMOTHY ELLIOTT

CHARLIE JACCO

This content has been prepared by Accenture and is for information purposes. No part of this content may be reproduced in any manner without the written permission of Accenture. While we take precautions to ensure that the source and the information we base our judgments on is reliable, we do not represent that this information is accurate or complete and it should not be relied upon as such. It is provided with the understanding that Accenture is not acting in a fiduciary capacity. Opinions expressed herein are subject to change without notice.
